Containment refers to restrictions on a computer system which prevent user-space applications from performing certain actions. In particular, containment is achieved by forcing a large untrusted application to utilize a smaller trusted application to perform certain actions. By forcing the larger application to do so, the smaller application may ensure that the larger application does not perform undesirable actions, such as interfering with other applications.
One aspect of containment is restricting access to files. For example, it may be advantageous to restrict access to a configuration file, since the configuration file may be utilized to breach the security of the system. Likewise, it is advantageous to prevent most processes from being able to read or write to files containing password information.
To restrict access to files, known trusted operating systems associate access information with each file stored on a file system. Specifically, the file structure is modified to include an additional permission data structure with each file. The permission data structure contains essentially a list of identifiers with each identifier specifying a group of processes that are allowed to access the respective file. When a process attempts to access a particular file, the process performs a system call to the kernel. The identifier of the process is obtained by the kernel routine associated with the system call. The kernel routine accesses the file by reading the list of identifiers. A logical comparison is made between the identifier received from the process and the list of identifiers. If a match is found, the kernel routine performs the access operation (e.g., opening the file). If no match is found, the kernel routine does not perform the access operations and, instead, returns an exception (e.g., error message).
Although associating such a data structure with each file does restrict certain processes from accessing certain files, this approach is problematic in many respects. First, the amount of permission data is large, because file systems of ordinary complexity typically contain thousands of files. Secondly, the task of synchronizing permission data with file creation and file deletion is challenging. For example, many processes may create and delete files during their operation. If permission data is created or modified for each file operation, system performance is significantly degraded. Moreover, if permission data is also maintained by a system administrator, system administration is quite cumbersome when the number of files exceeds a small number.
It shall be appreciated that associating the additional data structure with each file causes the file system format to be incompatible with other file system formats. In particular, this approach is incompatible with the file system formats utilized by traditional UNIX operating systems. Thus, once data is stored in the above format, well-known applications and utilities cannot be utilized with the preceding access limiting file structure.